fix(gotmpl): Refactor from external to existing secrets

Signed-off-by: Axel Lender <lender@b1-systems.de>
This commit is contained in:
Axel Lender
2025-11-20 20:43:04 +01:00
parent 3f2cf149e7
commit 3890df064e
24 changed files with 226 additions and 226 deletions

View File

@@ -3,9 +3,9 @@ SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlic
SPDX-License-Identifier: Apache-2.0
-->
<h1>External Secrets</h1>
<h1>Existing Secrets</h1>
This document covers how to utilise external secrets and special requirements. The examples documented here are mostly showing the format with the openDesk default values.
This document covers how to utilise existing secrets and special requirements. The examples documented here are mostly showing the format with the openDesk default values.
<!-- TOC -->
* [General](#general)
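Review bot: while the intro sentence is rewritten here, `The examples documented here are mostly showing the format` should read `mostly show the format`; the rename itself is fine.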
@@ -20,15 +20,15 @@ This document covers how to utilise external secrets and special requirements. T
# General
⚠ ATTENTION: This feature is still in early development. For now you can't simply replace plain secrets with external secrets because some secrets are used several components where some maybe don't support external secrets by now.
⚠ ATTENTION: This feature is still in early development. For now you can't simply replace plain secrets with existing secrets because some secrets are used several components where some maybe don't support existing secrets by now.
For most components when set the external secret will supersede e.g. a password in a `values.yaml` file.
For most components when set the existing secret will supersede e.g. a password in a `values.yaml` file.
The file [`external_secrets.yaml`](/helmfile/environments/default/external_secrets.yaml.gotmpl) lists all possible references to external secrets that are currently implemented in openDesk.
The file [`existing_secrets.yaml`](/helmfile/environments/default/existing_secrets.yaml.gotmpl) lists all possible references to existing secrets that are currently implemented in openDesk.
# Components
This section covers information and special requirements to external secrets that some Helm Charts expect.
This section covers information and special requirements to existing secrets that some Helm Charts expect.
## Cassandra
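Review bot: the warning sentence is still missing a word (`some secrets are used several components where some maybe don't support existing secrets by now`); since the line is rewritten anyway, suggest `some secrets are used by several components, some of which may not support existing secrets yet`. Also confirm that `helmfile/environments/default/external_secrets.yaml.gotmpl` is really renamed to `existing_secrets.yaml.gotmpl` in this commit, otherwise the new link is broken.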
@@ -50,7 +50,7 @@ This has to be adapted into a secret that also holds a `cql` script and is named
## Keycloak
Several external secrets utilised by the Keycloak bootstrap chart are expected in a special format and/or key.
Several existing secrets utilised by the Keycloak bootstrap chart are expected in a special format and/or key.
### Admin credentials
@@ -63,7 +63,7 @@ stringData:
### ox-connector
The secret `openxchangeConnector.provisioningApiPassword` has to provide a JSON file. The value `.Values.secrets.oxConnector.provisioningApiPassword` is taken from the default openDesk install without external secrets and has to be replaced by some secret value. The following format is expected:
The secret `openxchangeConnector.provisioningApiPassword` has to provide a JSON file. The value `.Values.secrets.oxConnector.provisioningApiPassword` is taken from the default openDesk install without existing secrets and has to be replaced by some secret value. The following format is expected:
```yaml
stringData:
@@ -76,7 +76,7 @@ The secret `nubus.ldapSearch.keycloak` has the requirement to use `password` as
### SSOFederation and Clients
Values taken from those external secrets will supersede secret values that are already present for the `client`/`IdP` in the configuration or add them accordingly. Further the secrets for the have to provide a `yaml` file in a special format. Both formats rely on the same key as used in the configuration respectively. The expected format for each configuration can be seen in the table below:
Values taken from those existing secrets will supersede secret values that are already present for the `client`/`IdP` in the configuration or add them accordingly. Further the secrets for the have to provide a `yaml` file in a special format. Both formats rely on the same key as used in the configuration respectively. The expected format for each configuration can be seen in the table below:
|Section |Format |
|-----------------------------------------------------|-------------|
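Review bot: `Further the secrets for the have to provide a `yaml` file in a special format` is missing the noun after `for the`; the line is touched by this change, so complete the sentence here rather than carrying the gap over with the rename.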
@@ -123,7 +123,7 @@ Values taken from those external secrets will supersede secret values that are a
## MinIO
Like described in the [upstream `values.yaml`](https://github.com/bitnami/charts/blob/main/bitnami/minio/values.yaml#L1595) credentials and information about a user in external secrets listed in `usersExistingSecrets` have to be formatted as follows:
Like described in the [upstream `values.yaml`](https://github.com/bitnami/charts/blob/main/bitnami/minio/values.yaml#L1595) credentials and information about a user in existing secrets listed in `usersExistingSecrets` have to be formatted as follows:
```yaml
stringData:
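Review bot: `Like described in the upstream values.yaml` is ungrammatical; use `As described in`. The same wording recurs in the XWiki hunk below and can be fixed in the same pass.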
@@ -167,11 +167,11 @@ stringData:
## XWiki
Properties listed in the file of the external secret will overwrite plain values.
Properties listed in the file of the existing secret will overwrite plain values.
Licenses can also be given via properties and require the format `licenses=<EnterpriseLicense>,<Applicationslicense>`.
Like described in the [upstream `values.yaml`](https://github.com/xwiki-contrib/xwiki-helm/blob/master/charts/xwiki/values.yaml#L435) credentials and information about a user in external secrets listed in `propertiesSecret` have to be formatted as follows:
Like described in the [upstream `values.yaml`](https://github.com/xwiki-contrib/xwiki-helm/blob/master/charts/xwiki/values.yaml#L435) credentials and information about a user in existing secrets listed in `propertiesSecret` have to be formatted as follows:
```yaml
stringData:

View File

@@ -12,7 +12,7 @@ This document covers the current status of security measures.
* [Helm Chart Trust Chain](#helm-chart-trust-chain)
* [Kubernetes Security Enforcements](#kubernetes-security-enforcements)
* [NetworkPolicies](#networkpolicies)
* [External Secrets](#external-secrets)
* [Existing Secrets](#existing-secrets)
<!-- TOC -->
# Helm chart trust chain
@@ -52,8 +52,8 @@ security:
enabled: true
```
# External Secrets
# Existing Secrets
We urge you to use external secrets for your confidential credentials.
We urge you to use existing secrets for your confidential credentials.
For further explanation and documentation please visit [External Secrets](./docs/external-secrets.md).
For further explanation and documentation please visit [Existing Secrets](./docs/existing-secrets.md).
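Review bot: the link now targets `./docs/existing-secrets.md` and the TOC entry targets `#existing-secrets`; verify the documentation file is renamed in this commit so both resolve. Note the naming split between this hyphenated doc file and the underscored `existing_secrets.yaml.gotmpl` referenced in the docs hunk; both must match the actual paths in the tree.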

View File

@@ -86,7 +86,7 @@ The following naming scheme is applied for the deployment matrix:
- *Secrets*: Master password based secrets based on `secrets.yaml.gotmpl`
- *Certificates*: Letsencrypt-prod certificates are used.
- *Deployment*: GitLab CI based deployment.
- `funct1`: Different configuration of `functional.yaml`, self-signed-certs [and when available external secrets].
- `funct1`: Different configuration of `functional.yaml`, self-signed-certs [and when available existing secrets].
- `extsrv`: External services (where possible).
- `gitops`: Argo CD based deployment.

View File

@@ -40,12 +40,12 @@ collabora:
{{- end }}
username: "collabora-internal-admin"
password: {{ .Values.secrets.collabora.adminPassword | quote }}
{{- if .Values.externalSecrets.collabora.existingSecret.name }}
{{- if .Values.existingSecrets.collabora.existingSecret.name }}
existingSecret:
enabled: true
secretName: {{ .Values.externalSecrets.collabora.existingSecret.name | quote }}
usernameKey: {{ .Values.externalSecrets.collabora.existingSecret.usernameKey | quote }}
passwordKey: {{ .Values.externalSecrets.collabora.existingSecret.passwordKey | quote }}
secretName: {{ .Values.existingSecrets.collabora.existingSecret.name | quote }}
usernameKey: {{ .Values.existingSecrets.collabora.existingSecret.usernameKey | quote }}
passwordKey: {{ .Values.existingSecrets.collabora.existingSecret.passwordKey | quote }}
{{- end }}
fullnameOverride: "collabora"
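Review bot: the `{{- if }}` guard only checks `.Values.existingSecrets.collabora.existingSecret.name`, while `usernameKey` and `passwordKey` are rendered unconditionally inside the block; if either key is unset, `quote` emits `""` and the chart will look up an empty key in the secret. Consider `| default "username"` / `| default "password"` style fallbacks, or document that all three fields are required together. The resulting path `existingSecrets.collabora.existingSecret.name` is also redundant after the rename and might be worth flattening.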

View File

@@ -27,13 +27,13 @@ configuration:
username:
value: "nextcloud"
secret:
name: {{ .Values.externalSecrets.nextcloud.admin.username.name | quote }}
key: {{ .Values.externalSecrets.nextcloud.admin.username.key | quote }}
name: {{ .Values.existingSecrets.nextcloud.admin.username.name | quote }}
key: {{ .Values.existingSecrets.nextcloud.admin.username.key | quote }}
password:
value: {{ .Values.secrets.nextcloud.adminPassword | quote }}
secret:
name: {{ .Values.externalSecrets.nextcloud.admin.password.name | quote }}
key: {{ .Values.externalSecrets.nextcloud.admin.password.key | quote }}
name: {{ .Values.existingSecrets.nextcloud.admin.password.name | quote }}
key: {{ .Values.existingSecrets.nextcloud.admin.password.key | quote }}
antivirus:
{{- if .Values.antivirus.icap.host }}
@@ -54,13 +54,13 @@ configuration:
username:
value: {{ .Values.cache.nextcloud.username }}
secret:
name: {{ .Values.externalSecrets.cache.nextcloud.username.name | quote }}
key: {{ .Values.externalSecrets.cache.nextcloud.username.key | quote }}
name: {{ .Values.existingSecrets.cache.nextcloud.username.name | quote }}
key: {{ .Values.existingSecrets.cache.nextcloud.username.key | quote }}
password:
value: {{ .Values.cache.nextcloud.password | default .Values.secrets.redis.password | quote }}
secret:
name: {{ .Values.externalSecrets.cache.nextcloud.password.name | quote }}
key: {{ .Values.externalSecrets.cache.nextcloud.password.key | quote }}
name: {{ .Values.existingSecrets.cache.nextcloud.password.name | quote }}
key: {{ .Values.existingSecrets.cache.nextcloud.password.key | quote }}
host: {{ .Values.cache.nextcloud.host | quote }}
port: {{ .Values.cache.nextcloud.port | quote }}
tls: {{ .Values.cache.nextcloud.tls }}
@@ -106,8 +106,8 @@ configuration:
username:
value: {{ .Values.databases.nextcloud.username | quote }}
secret:
name: {{ .Values.externalSecrets.databases.nextcloud.username.name | quote }}
key: {{ .Values.externalSecrets.databases.nextcloud.username.key | quote }}
name: {{ .Values.existingSecrets.databases.nextcloud.username.name | quote }}
key: {{ .Values.existingSecrets.databases.nextcloud.username.key | quote }}
password:
{{- if or (eq .Values.databases.nextcloud.type "mariadb") (eq .Values.databases.nextcloud.type "mysql") }}
value: {{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser | quote }}
@@ -117,8 +117,8 @@ configuration:
value: {{ .Values.databases.nextcloud.password | quote }}
{{- end }}
secret:
name: {{ .Values.externalSecrets.databases.nextcloud.password.name | quote }}
key: {{ .Values.externalSecrets.databases.nextcloud.password.key | quote }}
name: {{ .Values.existingSecrets.databases.nextcloud.password.name | quote }}
key: {{ .Values.existingSecrets.databases.nextcloud.password.key | quote }}
ldap:
base: {{ .Values.ldap.baseDn | quote }}
@@ -127,8 +127,8 @@ configuration:
password:
value: {{ .Values.secrets.nubus.ldapSearch.nextcloud | quote }}
secret:
name: {{ .Values.externalSecrets.nubus.ldapSearch.nextcloud.name | quote }}
key: {{ .Values.externalSecrets.nubus.ldapSearch.nextcloud.key | quote }}
name: {{ .Values.existingSecrets.nubus.ldapSearch.nextcloud.name | quote }}
key: {{ .Values.existingSecrets.nubus.ldapSearch.nextcloud.key | quote }}
adminGroupName: "managed-by-attribute-FileshareAdmin"
objectstore:
@@ -136,13 +136,13 @@ configuration:
accessKey:
value: {{ .Values.objectstores.nextcloud.username | quote }}
secret:
name: {{ .Values.externalSecrets.objectstores.nextcloud.accessKey.name | quote }}
key: {{ .Values.externalSecrets.objectstores.nextcloud.accessKey.key | quote }}
name: {{ .Values.existingSecrets.objectstores.nextcloud.accessKey.name | quote }}
key: {{ .Values.existingSecrets.objectstores.nextcloud.accessKey.key | quote }}
secretKey:
value: {{ .Values.objectstores.nextcloud.secretKey | default .Values.secrets.minio.nextcloudUser | quote }}
secret:
name: {{ .Values.externalSecrets.objectstores.nextcloud.secretKey.name | quote }}
key: {{ .Values.externalSecrets.objectstores.nextcloud.secretKey.key | quote }}
name: {{ .Values.existingSecrets.objectstores.nextcloud.secretKey.name | quote }}
key: {{ .Values.existingSecrets.objectstores.nextcloud.secretKey.key | quote }}
bucket: {{ .Values.objectstores.nextcloud.bucket | quote }}
host: {{ .Values.objectstores.nextcloud.endpoint | quote }}
region: {{ .Values.objectstores.nextcloud.region | quote }}
@@ -157,8 +157,8 @@ configuration:
password:
value: {{ .Values.secrets.keycloak.clientSecret.ncoidc | quote }}
secret:
name: {{ .Values.externalSecrets.keycloak.clientSecret.nextcloudOidc.name | quote }}
key: {{ .Values.externalSecrets.keycloak.clientSecret.nextcloudOidc.key | quote }}
name: {{ .Values.existingSecrets.keycloak.clientSecret.nextcloudOidc.name | quote }}
key: {{ .Values.existingSecrets.keycloak.clientSecret.nextcloudOidc.key | quote }}
opendeskIntegration:
centralNavigation:
@@ -168,8 +168,8 @@ configuration:
password:
value: {{ .Values.secrets.centralnavigation.apiKey | quote }}
secret:
name: {{ .Values.externalSecrets.centralnavigation.apiKey.name | quote }}
key: {{ .Values.externalSecrets.centralnavigation.apiKey.key | quote }}
name: {{ .Values.existingSecrets.centralnavigation.apiKey.name | quote }}
key: {{ .Values.existingSecrets.centralnavigation.apiKey.key | quote }}
oxAppSuite:
enabled: {{ .Values.apps.oxAppSuite.enabled }}
@@ -195,8 +195,8 @@ configuration:
password:
value: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
secret:
name: {{ .Values.externalSecrets.postfix.opendeskSystem.password.name | quote }}
key: {{ .Values.externalSecrets.postfix.opendeskSystem.password.key | quote }}
name: {{ .Values.existingSecrets.postfix.opendeskSystem.password.name | quote }}
key: {{ .Values.existingSecrets.postfix.opendeskSystem.password.key | quote }}
host: {{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
port: 587
fromAddress: {{ .Values.smtp.localpartNoReply | quote }}
@@ -214,8 +214,8 @@ configuration:
token:
value: {{ .Values.secrets.nextcloud.metricsToken | quote }}
secret:
name: {{ .Values.externalSecrets.nextcloud.metricsToken.name | quote }}
key: {{ .Values.externalSecrets.nextcloud.metricsToken.key | quote }}
name: {{ .Values.existingSecrets.nextcloud.metricsToken.name | quote }}
key: {{ .Values.existingSecrets.nextcloud.metricsToken.key | quote }}
forbiddenChars: {{ join " " .Values.functional.filestore.naming.forbiddenChars | quote }}

View File

@@ -19,8 +19,8 @@ exporter:
token:
value: {{ .Values.secrets.nextcloud.metricsToken | quote }}
secret:
name: {{ .Values.externalSecrets.nextcloud.metricsToken.name | quote }}
key: {{ .Values.externalSecrets.nextcloud.metricsToken.key | quote }}
name: {{ .Values.existingSecrets.nextcloud.metricsToken.name | quote }}
key: {{ .Values.existingSecrets.nextcloud.metricsToken.key | quote }}
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
@@ -91,13 +91,13 @@ aio:
username:
value: {{ .Values.cache.nextcloud.username }}
secret:
name: {{ .Values.externalSecrets.cache.nextcloud.username.name | quote }}
key: {{ .Values.externalSecrets.cache.nextcloud.username.key | quote }}
name: {{ .Values.existingSecrets.cache.nextcloud.username.name | quote }}
key: {{ .Values.existingSecrets.cache.nextcloud.username.key | quote }}
password:
value: {{ .Values.cache.nextcloud.password | default .Values.secrets.redis.password | quote }}
secret:
name: {{ .Values.externalSecrets.cache.nextcloud.password.name | quote }}
key: {{ .Values.externalSecrets.cache.nextcloud.password.key | quote }}
name: {{ .Values.existingSecrets.cache.nextcloud.password.name | quote }}
key: {{ .Values.existingSecrets.cache.nextcloud.password.key | quote }}
host: {{ .Values.cache.nextcloud.host | quote }}
port: {{ .Values.cache.nextcloud.port | quote }}
tls: {{ .Values.cache.nextcloud.tls }}
@@ -116,8 +116,8 @@ aio:
username:
value: {{ .Values.databases.nextcloud.username | quote }}
secret:
name: {{ .Values.externalSecrets.databases.nextcloud.username.name | quote }}
key: {{ .Values.externalSecrets.databases.nextcloud.username.key | quote }}
name: {{ .Values.existingSecrets.databases.nextcloud.username.name | quote }}
key: {{ .Values.existingSecrets.databases.nextcloud.username.key | quote }}
password:
{{- if or (eq .Values.databases.nextcloud.type "mariadb") (eq .Values.databases.nextcloud.type "mysql") }}
value: {{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser | quote }}
@@ -127,8 +127,8 @@ aio:
value: {{ .Values.databases.nextcloud.password | quote }}
{{- end }}
secret:
name: {{ .Values.externalSecrets.databases.nextcloud.password.name | quote }}
key: {{ .Values.externalSecrets.databases.nextcloud.password.key | quote }}
name: {{ .Values.existingSecrets.databases.nextcloud.password.name | quote }}
key: {{ .Values.existingSecrets.databases.nextcloud.password.key | quote }}
trustedProxy: {{ join " " .Values.cluster.networking.cidr | quote }}
containerSecurityContext:
allowPrivilegeEscalation: false

View File

@@ -5,8 +5,8 @@ global:
collaborationServerSecret:
value: {{ .Values.secrets.notes.collaborationSecret | quote }}
existingSecret:
name: {{ .Values.externalSecrets.notes.collaborationSecret.name | quote }}
key: {{ .Values.externalSecrets.notes.collaborationSecret.key | quote }}
name: {{ .Values.existingSecrets.notes.collaborationSecret.name | quote }}
key: {{ .Values.existingSecrets.notes.collaborationSecret.key | quote }}
fqdn: "{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}"
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
@@ -14,8 +14,8 @@ global:
yProviderApiKey:
value: {{ .Values.secrets.notes.collaborationSecret | quote }}
existingSecret:
name: {{ .Values.externalSecrets.notes.collaborationSecret.name | quote }}
key: {{ .Values.externalSecrets.notes.collaborationSecret.key | quote }}
name: {{ .Values.existingSecrets.notes.collaborationSecret.name | quote }}
key: {{ .Values.existingSecrets.notes.collaborationSecret.key | quote }}
fqdn: "{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}"
tlsSecretName: {{ .Values.ingress.tls.secretName | quote }}
fqdn: "{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}"
@@ -47,8 +47,8 @@ backend:
apiKey:
value: {{ .Values.ai.apiKey }}
existingSecret:
name: {{ .Values.externalSecrets.ai.apiKey.name | quote }}
key: {{ .Values.externalSecrets.ai.apiKey.key | quote }}
name: {{ .Values.existingSecrets.ai.apiKey.name | quote }}
key: {{ .Values.existingSecrets.ai.apiKey.key | quote }}
baseUrl: {{ .Values.ai.endpoint }}
model: {{ .Values.ai.model | quote }}
aws:
@@ -56,13 +56,13 @@ backend:
s3AccessKeyId:
value: {{ .Values.objectstores.notes.username }}
existingSecret:
name: {{ .Values.externalSecrets.objectstores.notes.s3AccessKeyId.name | quote }}
key: {{ .Values.externalSecrets.objectstores.notes.s3AccessKeyId.key | quote }}
name: {{ .Values.existingSecrets.objectstores.notes.s3AccessKeyId.name | quote }}
key: {{ .Values.existingSecrets.objectstores.notes.s3AccessKeyId.key | quote }}
s3SecretAccessKey:
value: {{ .Values.objectstores.notes.secretKey | default .Values.secrets.minio.notesUser | quote }}
existingSecret:
name: {{ .Values.externalSecrets.objectstores.notes.s3SecretAccessKey.name | quote }}
key: {{ .Values.externalSecrets.objectstores.notes.s3SecretAccessKey.key | quote }}
name: {{ .Values.existingSecrets.objectstores.notes.s3SecretAccessKey.name | quote }}
key: {{ .Values.existingSecrets.objectstores.notes.s3SecretAccessKey.key | quote }}
storageBucketName: {{ .Values.objectstores.notes.bucket }}
collaboration:
apiUrl: {{ printf "https://%s.%s/collaboration/api/" .Values.global.hosts.notes .Values.global.domain | quote }}
@@ -73,14 +73,14 @@ backend:
password:
value: {{ .Values.databases.notes.password | default .Values.secrets.postgresql.notesUser | quote }}
existingSecret:
name: {{ .Values.externalSecrets.databases.notes.password.name | quote }}
key: {{ .Values.externalSecrets.databases.notes.password.key | quote }}
name: {{ .Values.existingSecrets.databases.notes.password.name | quote }}
key: {{ .Values.existingSecrets.databases.notes.password.key | quote }}
port: {{ .Values.databases.notes.port | quote }}
user:
value: {{ .Values.databases.notes.username | quote }}
existingSecret:
name: {{ .Values.externalSecrets.databases.notes.user.name | quote }}
key: {{ .Values.externalSecrets.databases.notes.user.key | quote }}
name: {{ .Values.existingSecrets.databases.notes.user.name | quote }}
key: {{ .Values.existingSecrets.databases.notes.user.key | quote }}
email:
brandName: "openDesk"
from: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.mailDomain | default .Values.global.domain }}"
@@ -90,13 +90,13 @@ backend:
user:
value: {{ printf "%s@%s" "opendesk-system" ( .Values.global.mailDomain | default .Values.global.domain ) }}
existingSecret:
name: {{ .Values.externalSecrets.postfix.opendeskSystem.username.name | quote }}
key: {{ .Values.externalSecrets.postfix.opendeskSystem.username.key | quote }}
name: {{ .Values.existingSecrets.postfix.opendeskSystem.username.name | quote }}
key: {{ .Values.existingSecrets.postfix.opendeskSystem.username.key | quote }}
password:
value: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
existingSecret:
name: {{ .Values.externalSecrets.postfix.opendeskSystem.password.name | quote }}
key: {{ .Values.externalSecrets.postfix.opendeskSystem.password.key | quote }}
name: {{ .Values.existingSecrets.postfix.opendeskSystem.password.name | quote }}
key: {{ .Values.existingSecrets.postfix.opendeskSystem.password.key | quote }}
oidc:
enabled: true
rpClientId:
@@ -104,8 +104,8 @@ backend:
rpClientSecret:
value: {{ .Values.secrets.keycloak.clientSecret.notes | quote }}
existingSecret:
name: {{ .Values.externalSecrets.keycloak.clientSecret.notes.name | quote }}
key: {{ .Values.externalSecrets.keycloak.clientSecret.notes.key | quote }}
name: {{ .Values.existingSecrets.keycloak.clientSecret.notes.name | quote }}
key: {{ .Values.existingSecrets.keycloak.clientSecret.notes.key | quote }}
opJWKSEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/certs"
opAuthorizationEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/auth"
opTokenEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
@@ -123,25 +123,25 @@ backend:
secretKey:
value: {{ .Values.secrets.notes.djangoSecretKey }}
existingSecret:
name: {{ .Values.externalSecrets.notes.django.secretKey.name | quote }}
key: {{ .Values.externalSecrets.notes.django.secretKey.key | quote }}
name: {{ .Values.existingSecrets.notes.django.secretKey.name | quote }}
key: {{ .Values.existingSecrets.notes.django.secretKey.key | quote }}
createSuperuser: true
superuserEmail:
value: {{ printf "default.admin@%s" .Values.global.domain | quote }}
existingSecret:
name: {{ .Values.externalSecrets.notes.django.superuserEmail.name | quote }}
key: {{ .Values.externalSecrets.notes.django.superuserEmail.key | quote }}
name: {{ .Values.existingSecrets.notes.django.superuserEmail.name | quote }}
key: {{ .Values.existingSecrets.notes.django.superuserEmail.key | quote }}
superuserPassword:
value: {{ .Values.secrets.notes.superuser }}
existingSecret:
name: {{ .Values.externalSecrets.notes.django.superuserPassword.name | quote }}
key: {{ .Values.externalSecrets.notes.django.superuserPassword.key | quote }}
name: {{ .Values.existingSecrets.notes.django.superuserPassword.name | quote }}
key: {{ .Values.existingSecrets.notes.django.superuserPassword.key | quote }}
frontendTheme: "openDesk"
redisUrl:
value: "redis://default:{{ .Values.cache.notes.password | default .Values.secrets.redis.password }}@{{ .Values.cache.notes.host }}:{{ .Values.cache.notes.port }}/7"
existingSecret:
name: {{ .Values.externalSecrets.notes.redisUrl.name | quote }}
key: {{ .Values.externalSecrets.notes.redisUrl.key | quote }}
name: {{ .Values.existingSecrets.notes.redisUrl.name | quote }}
key: {{ .Values.existingSecrets.notes.redisUrl.key | quote }}
extraEnvVars:
- name: "FRONTEND_HOMEPAGE_FEATURE_ENABLED"
value: "False"
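Review bot: for `redisUrl` the plain `value` embeds the Redis password inside the full `redis://default:...@host:port/7` URL, so an existing secret referenced via `existingSecrets.notes.redisUrl` must hold the complete URL including credentials, not just the password as the other entries do; this special format should be called out in the existing-secrets documentation alongside the Keycloak and MinIO special cases.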

View File

@@ -54,9 +54,9 @@ ics:
session:
secret: {{ .Values.secrets.intercom.secret | quote }}
existingSecret:
name: {{ .Values.externalSecrets.nubus.ics.session.name | quote }}
name: {{ .Values.existingSecrets.nubus.ics.session.name | quote }}
keyMapping:
secret: {{ .Values.externalSecrets.nubus.ics.session.key | quote }}
secret: {{ .Values.existingSecrets.nubus.ics.session.key | quote }}
issuerBaseUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
originRegex: "{{ .Values.global.domain }}"
enableSessionCookie: true
@@ -71,36 +71,36 @@ ics:
id: "opendesk-intercom"
clientSecret: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}
existingSecret:
name: {{ .Values.externalSecrets.keycloak.clientSecret.intercom.name | quote}}
name: {{ .Values.existingSecrets.keycloak.clientSecret.intercom.name | quote}}
keyMapping:
clientSecret: {{ .Values.externalSecrets.keycloak.clientSecret.intercom.key | quote }}
clientSecret: {{ .Values.existingSecrets.keycloak.clientSecret.intercom.key | quote }}
matrix:
subdomain: {{ .Values.global.hosts.synapse | quote }}
serverName: "{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}"
auth:
applicationServiceSecret: {{ .Values.secrets.intercom.synapseAsToken | quote }}
existingSecret:
name: {{ .Values.externalSecrets.nubus.ics.synapseAsToken.name | quote }}
name: {{ .Values.existingSecrets.nubus.ics.synapseAsToken.name | quote }}
keyMapping:
password: {{ .Values.externalSecrets.nubus.ics.synapseAsToken.key | quote }}
password: {{ .Values.existingSecrets.nubus.ics.synapseAsToken.key | quote }}
nordeck:
subdomain: {{ .Values.global.hosts.matrixNeoDateFixBot | quote }}
portal:
auth:
sharedSecret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
existingSecret:
name: {{ .Values.externalSecrets.centralnavigation.apiKey.name | quote }}
name: {{ .Values.existingSecrets.centralnavigation.apiKey.name | quote }}
keyMapping:
sharedSecret: {{ .Values.externalSecrets.centralnavigation.apiKey.key | quote }}
sharedSecret: {{ .Values.existingSecrets.centralnavigation.apiKey.key | quote }}
redis:
host: {{ .Values.cache.intercomService.host | quote }}
port: {{ .Values.cache.intercomService.port }}
auth:
password: {{ .Values.cache.intercomService.password | default .Values.secrets.redis.password | quote }}
existingSecret:
name: {{ .Values.externalSecrets.redis.existingSecret | quote }}
name: {{ .Values.existingSecrets.redis.existingSecret | quote }}
keyMapping:
password: {{ .Values.externalSecrets.redis.existingSecretPasswordKey | quote }}
password: {{ .Values.existingSecrets.redis.existingSecretPasswordKey | quote }}
openxchange:
oci: true
url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
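Review bot: style nit on the intercom `clientSecret` existing-secret line: `| quote}}` lacks the space before `}}` that every other line in this file uses; since the line is rewritten, align it with the surrounding formatting.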
@@ -151,9 +151,9 @@ provisioning:
auth:
username: "kcadmin"
existingSecret:
name: {{ .Values.externalSecrets.keycloak.adminPassword.name | default "ums-opendesk-keycloak-credentials" | quote }}
name: {{ .Values.existingSecrets.keycloak.adminPassword.name | default "ums-opendesk-keycloak-credentials" | quote }}
keyMapping:
passowrd: {{ .Values.externalSecrets.keycloak.adminPassword.key | default "admin_password" | quote }}
passowrd: {{ .Values.existingSecrets.keycloak.adminPassword.key | default "admin_password" | quote }}
image:
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
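Review bot: the `keyMapping` key is spelled `passowrd`, carried over unchanged by the rename. A key mapping under a misspelled name is silently ignored, so the configured `existingSecrets.keycloak.adminPassword.key` would never be applied and the chart would fall back to its built-in key; change it to `password` in this hunk.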

View File

@@ -39,13 +39,13 @@ configuration:
accessKey:
value: {{ .Values.objectstores.nubus.username | quote }}
existingSecret:
name: {{ .Values.externalSecrets.objectstores.nubus.accessKey.name | quote }}
key: {{ .Values.externalSecrets.objectstores.nubus.accessKey.key | quote }}
name: {{ .Values.existingSecrets.objectstores.nubus.accessKey.name | quote }}
key: {{ .Values.existingSecrets.objectstores.nubus.accessKey.key | quote }}
secretKey:
value: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
existingSecret:
name: {{ .Values.externalSecrets.objectstores.nubus.secretKey.name | quote }}
key: {{ .Values.externalSecrets.objectstores.nubus.secretKey.key | quote }}
name: {{ .Values.existingSecrets.objectstores.nubus.secretKey.name | quote }}
key: {{ .Values.existingSecrets.objectstores.nubus.secretKey.key | quote }}
podAnnotations:
{{ .Values.annotations.nubusNginxS3Gateway.pod | toYaml | nindent 2 }}

View File

@@ -200,25 +200,25 @@ nubusGuardian:
username: {{ .Values.databases.umsGuardianManagementApi.username | quote }}
database: {{ .Values.databases.umsGuardianManagementApi.name | quote }}
existingSecret:
name: {{ .Values.externalSecrets.databases.umsGuardianManagementApi.password.name | default "ums-guardian-postgresql-opendesk-credentials" | quote }}
name: {{ .Values.existingSecrets.databases.umsGuardianManagementApi.password.name | default "ums-guardian-postgresql-opendesk-credentials" | quote }}
keyMapping:
password: {{ .Values.externalSecrets.databases.umsGuardianManagementApi.password.key | default "guardianDatabasePassword" | quote }}
password: {{ .Values.existingSecrets.databases.umsGuardianManagementApi.password.key | default "guardianDatabasePassword" | quote }}
provisioning:
enabled: false
config:
nubusBaseUrl: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain }}
keycloak:
credentialSecret:
name: {{ .Values.externalSecrets.keycloak.adminPassword.name | default "ums-opendesk-keycloak-credentials" | quote }}
key: {{ .Values.externalSecrets.keycloak.adminPassword.key | default "admin_password" | quote }}
name: {{ .Values.existingSecrets.keycloak.adminPassword.name | default "ums-opendesk-keycloak-credentials" | quote }}
key: {{ .Values.existingSecrets.keycloak.adminPassword.key | default "admin_password" | quote }}
realm: {{ .Values.platform.realm | quote }}
username: "kcadmin"
keycloak:
auth:
existingSecret:
name: {{ .Values.externalSecrets.keycloak.clientSecret.guardian.name | default "ums-opendesk-guardian-client-secret" | quote }}
name: {{ .Values.existingSecrets.keycloak.clientSecret.guardian.name | default "ums-opendesk-guardian-client-secret" | quote }}
keyMapping:
password: {{ .Values.externalSecrets.keycloak.clientSecret.guardian.key | default "managementApiClientSecret" | quote }}
password: {{ .Values.existingSecrets.keycloak.clientSecret.guardian.key | default "managementApiClientSecret" | quote }}
connection:
host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
baseUrl: "http://ums-keycloak:8080"

View File

@@ -193,9 +193,9 @@ keycloak:
auth:
username: "kcadmin"
existingSecret:
name: {{ .Values.externalSecrets.keycloak.adminPassword.name | default "ums-opendesk-keycloak-credentials" | quote }}
name: {{ .Values.existingSecrets.keycloak.adminPassword.name | default "ums-opendesk-keycloak-credentials" | quote }}
keyMapping:
adminPassword: {{ .Values.externalSecrets.keycloak.adminPassword.key | default "admin_password" | quote }}
adminPassword: {{ .Values.existingSecrets.keycloak.adminPassword.key | default "admin_password" | quote }}
login:
messages:
de:
@@ -219,9 +219,9 @@ keycloak:
username: {{ .Values.databases.keycloak.username | quote }}
database: {{ .Values.databases.keycloak.name | quote }}
existingSecret:
name: {{ .Values.externalSecrets.databases.keycloak.password.name | default "ums-keycloak-postgresql-opendesk-credentials" | quote }}
name: {{ .Values.existingSecrets.databases.keycloak.password.name | default "ums-keycloak-postgresql-opendesk-credentials" | quote }}
keyMapping:
password: {{ .Values.externalSecrets.databases.keycloak.password.key | default "keycloakDatabasePassword" | quote }}
password: {{ .Values.existingSecrets.databases.keycloak.password.key | default "keycloakDatabasePassword" | quote }}
replicaCount: {{ .Values.replicas.keycloak }}
resources:
{{ .Values.resources.umsKeycloak | toYaml | nindent 4 }}
@@ -445,9 +445,9 @@ nubusKeycloakExtensions:
# TODO: Pending secrets refactoring in component chart. This will refer to
# the secret generated by the keycloak subchart.
existingSecret:
name: {{ .Values.externalSecrets.keycloak.adminPassword.name | default "ums-opendesk-keycloak-credentials" | quote }}
name: {{ .Values.existingSecrets.keycloak.adminPassword.name | default "ums-opendesk-keycloak-credentials" | quote }}
keyMapping:
adminPassword: {{ .Values.externalSecrets.keycloak.adminPassword.key | default "admin_password" | quote }}
adminPassword: {{ .Values.existingSecrets.keycloak.adminPassword.key | default "admin_password" | quote }}
proxy:
additionalAnnotations:
{{ .Values.annotations.nubusKeycloakExtensions.proxyAdditional | toYaml | nindent 6 }}
@@ -526,9 +526,9 @@ nubusKeycloakExtensions:
database: {{ .Values.databases.keycloakExtension.name | quote }}
username: {{ .Values.databases.keycloakExtension.username | quote }}
existingSecret:
name: {{ .Values.externalSecrets.databases.keycloakExtension.password.name | default "ums-keycloak-extensions-postgresql-opendesk-credentials" | quote }}
name: {{ .Values.existingSecrets.databases.keycloakExtension.password.name | default "ums-keycloak-extensions-postgresql-opendesk-credentials" | quote }}
keyMapping:
password: {{ .Values.externalSecrets.databases.keycloakExtension.password.key | default "umcKeycloakExtensionsDatabasePassword" | quote }}
password: {{ .Values.existingSecrets.databases.keycloakExtension.password.key | default "umcKeycloakExtensionsDatabasePassword" | quote }}
smtp:
connection:
host: {{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
@@ -541,9 +541,9 @@ nubusKeycloakExtensions:
# TODO: Pending secrets refactoring in the component chart
password: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
existingSecret:
name: {{ .Values.externalSecrets.postfix.opendeskSystem.password.name | default "ums-keycloak-extensions-smtp-opendesk-credentials" | quote }}
name: {{ .Values.existingSecrets.postfix.opendeskSystem.password.name | default "ums-keycloak-extensions-smtp-opendesk-credentials" | quote }}
keyMapping:
password: {{ .Values.externalSecrets.postfix.opendeskSystem.password.key | default "umcKeycloakExtensionsSmtpPassword" | quote }}
password: {{ .Values.existingSecrets.postfix.opendeskSystem.password.key | default "umcKeycloakExtensionsSmtpPassword" | quote }}
handler:
additionalAnnotations:
{{ .Values.annotations.nubusKeycloakExtensions.handlerAdditional | toYaml | nindent 6 }}
@@ -1107,9 +1107,9 @@ nubusProvisioning:
createUsers:
oxConsumer:
existingSecret:
name: {{ .Values.externalSecrets.openxchangeConnector.provisioningApiPassword.name | default "ums-provisioning-ox-credentials" | quote }}
name: {{ .Values.existingSecrets.openxchangeConnector.provisioningApiPassword.name | default "ums-provisioning-ox-credentials" | quote }}
keyMapping:
registration: {{ .Values.externalSecrets.openxchangeConnector.provisioningApiPassword.key | default "ox-connector.json" | quote }}
registration: {{ .Values.existingSecrets.openxchangeConnector.provisioningApiPassword.key | default "ox-connector.json" | quote }}
{{- end }}
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
@@ -1601,14 +1601,14 @@ nubusKeycloakBootstrap:
auth:
username: "kcadmin"
existingSecret:
name: {{ .Values.externalSecrets.keycloak.adminPassword.name | default "ums-opendesk-keycloak-credentials" | quote }}
name: {{ .Values.existingSecrets.keycloak.adminPassword.name | default "ums-opendesk-keycloak-credentials" | quote }}
keyMapping:
adminPassword: {{ .Values.externalSecrets.keycloak.adminPassword.key | default "admin_password" | quote }}
adminPassword: {{ .Values.existingSecrets.keycloak.adminPassword.key | default "admin_password" | quote }}
ldap:
auth:
bindDn: {{ printf "uid=ldapsearch_keycloak,cn=users,%s" .Values.ldap.baseDn }}
existingSecret:
name: {{ .Values.externalSecrets.nubus.ldapSearch.keycloak.name | default "ums-keycloak-bootstrap-ldap-opendesk-credentials" | quote }}
name: {{ .Values.existingSecrets.nubus.ldapSearch.keycloak.name | default "ums-keycloak-bootstrap-ldap-opendesk-credentials" | quote }}
podAnnotations:
intents.otterize.com/service-name: "ums-keycloak-bootstrap"
{{- with .Values.annotations.nubusKeycloakBootstrapNubus.pod }}
@@ -1631,49 +1631,49 @@ nubusKeycloakBootstrap:
# Credential secrets for accessing customer supplied services
extraSecrets:
{{- if and (not .Values.externalSecrets.keycloak.clientSecret.guardian.name)
(not .Values.externalSecrets.keycloak.clientSecret.guardian.key) }}
{{- if and (not .Values.existingSecrets.keycloak.clientSecret.guardian.name)
(not .Values.existingSecrets.keycloak.clientSecret.guardian.key) }}
- name: "ums-opendesk-guardian-client-secret"
stringData:
managementApiClientSecret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
{{- end }}
{{- if and (not .Values.externalSecrets.keycloak.adminPassword.name)
(not .Values.externalSecrets.keycloak.adminPassword.key) }}
{{- if and (not .Values.existingSecrets.keycloak.adminPassword.name)
(not .Values.existingSecrets.keycloak.adminPassword.key) }}
- name: "ums-opendesk-keycloak-credentials"
stringData:
admin_password: {{ .Values.secrets.keycloak.adminPassword | quote }}
{{- end }}
{{- if and (not .Values.externalSecrets.databases.keycloak.password.name)
(not .Values.externalSecrets.databases.keycloak.password.key) }}
{{- if and (not .Values.existingSecrets.databases.keycloak.password.name)
(not .Values.existingSecrets.databases.keycloak.password.key) }}
- name: "ums-keycloak-postgresql-opendesk-credentials"
stringData:
keycloakDatabasePassword: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser | quote }}
{{- end }}
{{- if and (not .Values.externalSecrets.databases.umsGuardianManagementApi.password.name)
(not .Values.externalSecrets.databases.umsGuardianManagementApi.password.key) }}
{{- if and (not .Values.existingSecrets.databases.umsGuardianManagementApi.password.name)
(not .Values.existingSecrets.databases.umsGuardianManagementApi.password.key) }}
- name: "ums-guardian-postgresql-opendesk-credentials"
stringData:
guardianDatabasePassword: {{ .Values.databases.umsGuardianManagementApi.password | default .Values.secrets.postgresql.umsGuardianManagementApiUser | quote }}
{{- end }}
{{- if and (not .Values.externalSecrets.databases.keycloakExtension.password.name)
(not .Values.externalSecrets.databases.keycloakExtension.password.key) }}
{{- if and (not .Values.existingSecrets.databases.keycloakExtension.password.name)
(not .Values.existingSecrets.databases.keycloakExtension.password.key) }}
- name: "ums-keycloak-extensions-postgresql-opendesk-credentials"
stringData:
umcKeycloakExtensionsDatabasePassword: {{ .Values.databases.keycloakExtension.password | default .Values.secrets.postgresql.keycloakExtensionUser | quote }}
{{- end }}
{{- if and (not .Values.externalSecrets.postfix.opendeskSystem.password.name)
(not .Values.externalSecrets.postfix.opendeskSystem.password.key) }}
{{- if and (not .Values.existingSecrets.postfix.opendeskSystem.password.name)
(not .Values.existingSecrets.postfix.opendeskSystem.password.key) }}
- name: "ums-keycloak-extensions-smtp-opendesk-credentials"
stringData:
umcKeycloakExtensionsSmtpPassword: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
{{- end }}
{{- if and (not .Values.externalSecrets.nubus.ldapSearch.keycloak.name) }}
{{- if and (not .Values.existingSecrets.nubus.ldapSearch.keycloak.name) }}
- name: "ums-keycloak-bootstrap-ldap-opendesk-credentials"
stringData:
password: {{ .Values.secrets.nubus.ldapSearch.keycloak | quote }}
{{- end }}
{{- if and (not .Values.externalSecrets.openxchangeConnector.provisioningApiPassword.name)
(not .Values.externalSecrets.openxchangeConnector.provisioningApiPassword.key) }}
{{- if and (not .Values.existingSecrets.openxchangeConnector.provisioningApiPassword.name)
(not .Values.existingSecrets.openxchangeConnector.provisioningApiPassword.key) }}
- name: "ums-provisioning-ox-credentials"
stringData:
ox-connector.json: "{ \"name\": \"ox-connector\", \"realms_topics\": [{\"realm\": \"udm\", \"topic\": \"oxmail/oxcontext\"}, {\"realm\": \"udm\", \"topic\": \"oxmail/accessprofile\"}, {\"realm\": \"udm\", \"topic\": \"users/user\"}, {\"realm\": \"udm\", \"topic\": \"oxresources/oxresources\"}, {\"realm\": \"udm\", \"topic\": \"groups/group\"}, {\"realm\": \"udm\", \"topic\": \"oxmail/functional_account\"}], \"request_prefill\": true, \"password\": \"{{ .Values.secrets.oxConnector.provisioningApiPassword }}\" }"
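Review bot: the generation guards in `extraSecrets` only create the fallback secret when both `.name` and `.key` are unset, while the references in the earlier hunks apply a `default` to the name alone; an operator who sets e.g. `existingSecrets.keycloak.adminPassword.key` without `.name` therefore gets neither the generated `ums-opendesk-keycloak-credentials` secret nor a reference to their own, and the workloads mounting it fail to start with a missing secret. Gating on the name alone (`{{- if not .Values.existingSecrets.keycloak.adminPassword.name }}`) matches the `default` fallbacks, and is what the `ldapSearch.keycloak` block already does, where the `and` with a single operand can also be dropped. Separately, `ox-connector.json` interpolates `.Values.secrets.oxConnector.provisioningApiPassword` into a hand-written JSON string without escaping, so a password containing `"` or `\` yields invalid JSON inside a valid YAML string; building the document with `dict`/`list` and rendering it via `toJson | quote` would keep the escaping correct.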

View File

@@ -83,8 +83,8 @@ config:
value:
{{ .Values.functional.authentication.oidc.clients | toYaml | nindent 8 }}
existingSecret:
name: {{ .Values.externalSecrets.functional.authentication.clients.name | quote }}
key: {{ .Values.externalSecrets.functional.authentication.clients.key | quote }}
name: {{ .Values.existingSecrets.functional.authentication.clients.name | quote }}
key: {{ .Values.existingSecrets.functional.authentication.clients.key | quote }}
managed:
clientScopes: [ 'acr', 'web-origins', 'email', 'profile', 'microprofile-jwt', 'role_list',
'offline_access', 'roles', 'address', 'phone' ]
@@ -97,7 +97,7 @@ config:
username: "kcadmin"
password: {{ .Values.secrets.keycloak.adminPassword | quote }}
secret:
name: {{ .Values.externalSecrets.keycloak.adminSecret.name | quote }}
name: {{ .Values.existingSecrets.keycloak.adminSecret.name | quote }}
realm: {{ .Values.platform.realm | quote }}
intraCluster:
enabled: true
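Review bot: `existingSecrets.keycloak.adminSecret.name` is a second, name-only values key for the Keycloak admin password, while every other reference in this change uses `existingSecrets.keycloak.adminPassword.name` and `.key`; an operator who sets `adminPassword` will have it honoured by the Keycloak chart and the bootstrap jobs but not here, where the plain `password:` line above still supplies the value. Either reuse `adminPassword.name` in this block or document why the bootstrap config needs a distinct secret and why its key is fixed.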
@@ -121,8 +121,8 @@ config:
enforceFederatedLogin: {{ .Values.functional.authentication.ssoFederation.enforceFederatedLogin }}
value: {{ .Values.functional.authentication.ssoFederation.idpDict | toYaml | nindent 8 }}
existingSecret:
name : {{ .Values.externalSecrets.functional.authentication.ssoFederation.name | quote }}
key : {{ .Values.externalSecrets.functional.authentication.ssoFederation.key | quote }}
name : {{ .Values.existingSecrets.functional.authentication.ssoFederation.name | quote }}
key : {{ .Values.existingSecrets.functional.authentication.ssoFederation.key | quote }}
twoFactorSettings:
additionalGroups: {{ .Values.functional.authentication.twoFactor.groups | toYaml | nindent 6 }}
precreateGroups: [ 'Domain Admins', 'Domain Users', 'IAM API - Full Access',
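Review bot: `name :` and `key :` carry a space before the colon, unlike every other mapping key in this change; YAML accepts it, but it makes the rendered files harder to grep and lint consistently, so while these lines are being touched it is worth normalising them to `name:` / `key:`.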
@@ -763,8 +763,8 @@ config:
- "opendesk-xwiki-scope"
{{ end }}
existingSecret:
name: {{ .Values.externalSecrets.keycloak.clients.name | quote }}
key: {{ .Values.externalSecrets.keycloak.clients.key | quote }}
name: {{ .Values.existingSecrets.keycloak.clients.name | quote }}
key: {{ .Values.existingSecrets.keycloak.clients.key | quote }}
containerSecurityContext:
allowPrivilegeEscalation: false

View File

@@ -25,8 +25,8 @@ dovecot:
password:
value: {{ .Values.secrets.cassandra.dovecotDictmapUser | quote }}
existingSecret:
name: {{ .Values.externalSecrets.dovecot.dictmapUser.name | quote }}
key: {{ .Values.externalSecrets.dovecot.dictmapUser.key | quote }}
name: {{ .Values.existingSecrets.dovecot.dictmapUser.name | quote }}
key: {{ .Values.existingSecrets.dovecot.dictmapUser.key | quote }}
keyspace: {{ .Values.databases.dovecotDictmap.name | quote }}
sharedMailboxes:
enabled: true
@@ -36,8 +36,8 @@ dovecot:
password:
value: {{ .Values.secrets.cassandra.dovecotACLUser | quote }}
existingSecret:
name: {{ .Values.externalSecrets.dovecot.aclUser.name | quote }}
key: {{ .Values.externalSecrets.dovecot.aclUser.key | quote }}
name: {{ .Values.existingSecrets.dovecot.aclUser.name | quote }}
key: {{ .Values.existingSecrets.dovecot.aclUser.key | quote }}
keyspace: {{ .Values.databases.dovecotACL.name | quote }}
objectStorage:
bucket: {{ .Values.objectstores.dovecot.bucket | quote }}
@@ -45,18 +45,18 @@ dovecot:
privateKey:
value: {{ requiredEnv "DOVECOT_CRYPT_PRIVATE_KEY" | quote }}
existingSecret:
name: {{ .Values.externalSecrets.dovecot.objectStorage.encryption.privateKey.name | quote }}
key: {{ .Values.externalSecrets.dovecot.objectStorage.encryption.privateKey.key | quote }}
name: {{ .Values.existingSecrets.dovecot.objectStorage.encryption.privateKey.name | quote }}
key: {{ .Values.existingSecrets.dovecot.objectStorage.encryption.privateKey.key | quote }}
publicKey:
value: {{ requiredEnv "DOVECOT_CRYPT_PUBLIC_KEY" | quote }}
existingSecret:
name: {{ .Values.externalSecrets.dovecot.objectStorage.encryption.publicKey.name | quote }}
key: {{ .Values.externalSecrets.dovecot.objectStorage.encryption.publicKey.key | quote }}
name: {{ .Values.existingSecrets.dovecot.objectStorage.encryption.publicKey.name | quote }}
key: {{ .Values.existingSecrets.dovecot.objectStorage.encryption.publicKey.key | quote }}
fqdn: {{ .Values.objectstores.dovecot.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
username: {{ .Values.objectstores.dovecot.username | quote }}
password:
value: {{ .Values.objectstores.dovecot.secretKey | default .Values.secrets.minio.dovecotUser | quote }}
existingSecret:
name: {{ .Values.externalSecrets.objectstores.dovecotUser.name | quote }}
key: {{ .Values.externalSecrets.objectstores.dovecotUser.key | quote }}
name: {{ .Values.existingSecrets.objectstores.dovecotUser.name | quote }}
key: {{ .Values.existingSecrets.objectstores.dovecotUser.key | quote }}
...
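Review bot: `requiredEnv "DOVECOT_CRYPT_PRIVATE_KEY"` and `requiredEnv "DOVECOT_CRYPT_PUBLIC_KEY"` still abort rendering when the environment variables are unset, so an operator who supplies `existingSecrets.dovecot.objectStorage.encryption.privateKey` and `.publicKey` must nevertheless export the key material into the helmfile render environment, which defeats the purpose of referencing an existing secret for this particular value. Consider switching to `env` or guarding the `value:` lines on the existing-secret name being empty, so the private key never has to pass through the render environment when a secret is referenced.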

View File

@@ -26,15 +26,15 @@ dovecot:
password:
value: {{ .Values.secrets.dovecot.doveadm | quote }}
existingSecret:
name: {{ .Values.externalSecrets.dovecot.doveadm.name | quote }}
key: {{ .Values.externalSecrets.dovecot.doveadm.key | quote }}
name: {{ .Values.existingSecrets.dovecot.doveadm.name | quote }}
key: {{ .Values.existingSecrets.dovecot.doveadm.key | quote }}
migration:
enabled: {{ .Values.functional.migration.oxAppSuite.enabled }}
masterPassword:
value: {{ .Values.secrets.oxAppSuite.migrationsMasterPassword | quote }}
existingSecret:
name: {{ .Values.externalSecrets.oxAppSuite.migrationsMasterPassword.name | quote }}
key: {{ .Values.externalSecrets.oxAppSuite.migrationsMasterPassword.key | quote }}
name: {{ .Values.existingSecrets.oxAppSuite.migrationsMasterPassword.name | quote }}
key: {{ .Values.existingSecrets.oxAppSuite.migrationsMasterPassword.key | quote }}
ldap:
enabled: true
host: {{ .Values.ldap.host | quote }}
@@ -44,8 +44,8 @@ dovecot:
password:
value: {{ .Values.secrets.nubus.ldapSearch.dovecot | quote }}
existingSecret:
name: {{ .Values.externalSecrets.nubus.ldapSearch.dovecot.name | quote }}
key: {{ .Values.externalSecrets.nubus.ldapSearch.dovecot.key | quote }}
name: {{ .Values.existingSecrets.nubus.ldapSearch.dovecot.name | quote }}
key: {{ .Values.existingSecrets.nubus.ldapSearch.dovecot.key | quote }}
loginTrustedNetworks: {{ join " " .Values.cluster.networking.cidr | quote }}
oidc:
@@ -55,8 +55,8 @@ dovecot:
clientSecret:
value: {{ .Values.secrets.keycloak.clientSecret.dovecot | quote }}
existingSecret:
name: {{ .Values.externalSecrets.keycloak.clientSecret.dovecot.name | quote }}
key: {{ .Values.externalSecrets.keycloak.clientSecret.dovecot.key | quote }}
name: {{ .Values.existingSecrets.keycloak.clientSecret.dovecot.name | quote }}
key: {{ .Values.existingSecrets.keycloak.clientSecret.dovecot.key | quote }}
introspectionHost: {{ printf "%s.%s" .Values.global.hosts.keycloak .Values.global.domain | quote }}
introspectionPath: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token/introspect"
usernameAttribute: "opendesk_username"

View File

@@ -62,13 +62,13 @@ postfix:
username:
value: {{ .Values.smtp.username }}
existingSecret:
name: {{ .Values.externalSecrets.smtp.username.name | quote }}
key: {{ .Values.externalSecrets.smtp.username.key | quote }}
name: {{ .Values.existingSecrets.smtp.username.name | quote }}
key: {{ .Values.existingSecrets.smtp.username.key | quote }}
password:
value: {{ .Values.smtp.password }}
existingSecret:
name: {{ .Values.externalSecrets.smtp.password.name | quote }}
key: {{ .Values.externalSecrets.smtp.password.key | quote }}
name: {{ .Values.existingSecrets.smtp.password.name | quote }}
key: {{ .Values.existingSecrets.smtp.password.key | quote }}
smtpSASLAuthEnable: "yes"
{{- end }}
allowRelayNets: false
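Review bot: `value: {{ .Values.smtp.username }}` and `value: {{ .Values.smtp.password }}` are rendered without `| quote`, unlike the neighbouring secret references; a credential that starts with `*`, `&`, `!` or `{`, looks numeric, or contains `: ` will be mis-typed or fail YAML parsing after rendering. Pipe both through `quote` like the other values in this file.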

View File

@@ -26,25 +26,25 @@ config:
username:
value: {{ .Values.secrets.openproject.apiAdminUsername | quote }}
secret:
name: {{ .Values.externalSecrets.openproject.apiAdmin.username.name | quote }}
key: {{ .Values.externalSecrets.openproject.apiAdmin.username.key | quote }}
name: {{ .Values.existingSecrets.openproject.apiAdmin.username.name | quote }}
key: {{ .Values.existingSecrets.openproject.apiAdmin.username.key | quote }}
password:
value: {{ .Values.secrets.openproject.apiAdminPassword | quote }}
secret:
name: {{ .Values.externalSecrets.openproject.apiAdmin.password.name | quote }}
key: {{ .Values.externalSecrets.openproject.apiAdmin.password.key | quote }}
name: {{ .Values.existingSecrets.openproject.apiAdmin.password.name | quote }}
key: {{ .Values.existingSecrets.openproject.apiAdmin.password.key | quote }}
nextcloud:
admin:
username:
value: "nextcloud"
secret:
name: {{ .Values.externalSecrets.nextcloud.admin.username.name | quote }}
key: {{ .Values.externalSecrets.nextcloud.admin.username.key | quote }}
name: {{ .Values.existingSecrets.nextcloud.admin.username.name | quote }}
key: {{ .Values.existingSecrets.nextcloud.admin.username.key | quote }}
password:
value: {{ .Values.secrets.nextcloud.adminPassword | quote }}
secret:
name: {{ .Values.externalSecrets.nextcloud.admin.password.name | quote }}
key: {{ .Values.externalSecrets.nextcloud.admin.password.key | quote }}
name: {{ .Values.existingSecrets.nextcloud.admin.password.name | quote }}
key: {{ .Values.existingSecrets.nextcloud.admin.password.key | quote }}
containerSecurityContext:
allowPrivilegeEscalation: false

View File

@@ -72,8 +72,8 @@ selfSigned:
password:
value: {{ .Values.secrets.certificates.password | quote }}
secret:
name: {{ .Values.externalSecrets.certificates.password.name | quote }}
key: {{ .Values.externalSecrets.certificates.password.key | quote }}
name: {{ .Values.existingSecrets.certificates.password.name | quote }}
key: {{ .Values.existingSecrets.certificates.password.key | quote }}
wildcard: {{ .Values.certificate.wildcard }}
...

View File

@@ -36,11 +36,11 @@ dbInit:
{{ .Values.resources.openprojectDbInit | toYaml | nindent 4 }}
environment:
{{- if and (not .Values.externalSecrets.openproject.environment)
{{- if and (not .Values.existingSecrets.openproject.environment)
(and (eq (env "OPENDESK_ENTERPRISE") "true") .Values.enterpriseKeys.openproject.token) }}
OPENPROJECT_SEED__ENTERPRISE__TOKEN: {{ .Values.enterpriseKeys.openproject.token | quote }}
{{- end }}
{{- if not .Values.externalSecrets.openproject.environment }}
{{- if not .Values.existingSecrets.openproject.environment }}
OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: {{ .Values.secrets.nubus.ldapSearch.openproject | quote }}
OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_USER: {{ .Values.secrets.openproject.apiAdminUsername | quote }}
OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_PASSWORD: {{ .Values.secrets.openproject.apiAdminPassword | quote }}
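Review bot: the nested `(and (eq (env "OPENDESK_ENTERPRISE") "true") .Values.enterpriseKeys.openproject.token)` can be flattened, since `and` is variadic in Go templates: `{{- if and (not .Values.existingSecrets.openproject.environment) (eq (env "OPENDESK_ENTERPRISE") "true") .Values.enterpriseKeys.openproject.token }}`. The second guard also deserves a comment: setting `existingSecrets.openproject.environment` suppresses all of the plain values at once, so the referenced secret must carry at least the three variables shown here plus the enterprise token, and that contract is not stated anywhere next to the conditional.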
@@ -142,10 +142,10 @@ postgresql:
password: {{ .Values.databases.openproject.password | default .Values.secrets.postgresql.openprojectUser | quote }}
username: {{ .Values.databases.openproject.username | quote }}
database: {{ .Values.databases.openproject.name | quote }}
existingSecret: {{ .Values.externalSecrets.databases.openproject.name | quote }}
existingSecret: {{ .Values.existingSecrets.databases.openproject.name | quote }}
secretKeys:
adminPasswordKey: {{ .Values.externalSecrets.databases.openproject.adminPasswordKey | quote }}
userPasswordKey: {{ .Values.externalSecrets.databases.openproject.userPasswordKey | quote }}
adminPasswordKey: {{ .Values.existingSecrets.databases.openproject.adminPasswordKey | quote }}
userPasswordKey: {{ .Values.existingSecrets.databases.openproject.userPasswordKey | quote }}
connection:
host: {{ .Values.databases.openproject.host | quote }}
port: {{ .Values.databases.openproject.port }}
@@ -171,9 +171,9 @@ openproject:
# Lock the admin user, preventing internal logins.
# Switch to true once the NC filestore bootstrapping is optimized.
locked: false
secret: {{ .Values.externalSecrets.openproject.adminUser.name | quote }}
secret: {{ .Values.existingSecrets.openproject.adminUserPassword.name | quote }}
secretKeys:
password: {{ .Values.externalSecrets.openproject.adminUser.key | quote }}
password: {{ .Values.existingSecrets.openproject.adminUserPassword.key | quote }}
oidc:
enabled: true
authorizationEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/auth"
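Review bot: this hunk renames the values key `openproject.adminUser` to `openproject.adminUserPassword` in addition to the `externalSecrets` to `existingSecrets` prefix change, but the commit message only describes the prefix refactor. An environment file that still sets `adminUser` renders an empty `secret:` here without any error, so please call the rename out in the commit message and migration notes, or keep `adminUser` as a deprecated alias via `default` for one release.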
@@ -183,10 +183,10 @@ openproject:
provider: "keycloak"
scope: "[openid,opendesk-openproject-scope]"
secret: {{ .Values.secrets.keycloak.clientSecret.openproject | quote }}
existingSecret: {{ .Values.externalSecrets.keycloak.clientSecret.openproject.name | quote }}
existingSecret: {{ .Values.existingSecrets.keycloak.clientSecret.openproject.name | quote }}
secretKeys:
identifier: {{ .Values.externalSecrets.keycloak.clientSecret.openproject.identifier | quote }}
secret: {{ .Values.externalSecrets.keycloak.clientSecret.openproject.key | quote }}
identifier: {{ .Values.existingSecrets.keycloak.clientSecret.openproject.identifier | quote }}
secret: {{ .Values.existingSecrets.keycloak.clientSecret.openproject.key | quote }}
tokenEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
userinfoEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/userinfo"
attribute_map:
@@ -195,7 +195,7 @@ openproject:
useTmpVolumes: true
tmpVolumesAnnotations:
{{ .Values.annotations.openproject.openprojectTempVolumes | toYaml | nindent 4 }}
extraEnvVarsSecret: {{ .Values.externalSecrets.openproject.environment | quote }}
extraEnvVarsSecret: {{ .Values.existingSecrets.openproject.environment | quote }}
serviceAccount:
annotations:
@@ -239,10 +239,10 @@ s3:
auth:
accessKeyId: {{ .Values.objectstores.openproject.username | quote }}
secretAccessKey: {{ .Values.objectstores.openproject.secretKey | default .Values.secrets.minio.openprojectUser | quote }}
existingSecret: {{ .Values.externalSecrets.objectstores.openproject.name | quote }}
existingSecret: {{ .Values.existingSecrets.objectstores.openproject.name | quote }}
secretKeys:
accessKeyId: {{ .Values.externalSecrets.objectstores.openproject.accessKeyId | quote }}
secretAccessKey: {{ .Values.externalSecrets.objectstores.openproject.secretAccessKey | quote }}
accessKeyId: {{ .Values.existingSecrets.objectstores.openproject.accessKeyId | quote }}
secretAccessKey: {{ .Values.existingSecrets.objectstores.openproject.secretAccessKey | quote }}
seederJob:
annotations:

View File

@@ -21,9 +21,9 @@ dbUser:
user: "root"
password: {{ .Values.secrets.cassandra.rootPassword | quote }}
existingSecret:
name: {{ .Values.externalSecrets.cassandra.existingSecret.name | quote }}
name: {{ .Values.existingSecrets.cassandra.existingSecret.name | quote }}
keyMapping:
cassandra-password: {{ .Values.externalSecrets.cassandra.existingSecret.passwordKey | quote }}
cassandra-password: {{ .Values.existingSecrets.cassandra.existingSecret.passwordKey | quote }}
global:
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
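Review bot: `existingSecrets.cassandra.existingSecret.name` / `.passwordKey` now reads as a double "existing secret", and the minio (`existingSecrets.minio.existingSecret`) and redis (`existingSecrets.redis.existingSecret`) entries later in this change follow the same pattern, while every other entry is named after the credential it holds (`keycloak.adminPassword.name`/`.key`). Since the top-level key is being renamed anyway, this is the moment to align these to e.g. `cassandra.rootPassword.name`/`.key` rather than carry the inconsistency into the documented schema.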
@@ -38,7 +38,7 @@ ingress:
annotations:
{{ .Values.annotations.cassandra.ingress | toYaml | nindent 6 }}
{{- if not .Values.externalSecrets.cassandra.initDBSecret }}
{{- if not .Values.existingSecrets.cassandra.initDBSecret }}
initDB:
initUserData.cql: >
CREATE KEYSPACE IF NOT EXISTS {{ .Values.databases.dovecotDictmap.name | quote }} WITH REPLICATION = { 'class' : 'SimpleStrategy', 'replication_factor' : 1 };
@@ -51,7 +51,7 @@ initDB:
GRANT ALL ON KEYSPACE {{ .Values.databases.dovecotACL.name | quote }} TO {{ .Values.databases.dovecotACL.username | quote }};
{{- end }}
initDBSecret: {{ .Values.externalSecrets.cassandra.initDBSecret | quote }}
initDBSecret: {{ .Values.existingSecrets.cassandra.initDBSecret | quote }}
# Will print a warning if unset but is automatically calculated:
jvm:

View File

@@ -19,9 +19,9 @@ apiIngress:
auth:
rootPassword: {{ .Values.secrets.minio.rootPassword | quote }}
existingSecret: {{ .Values.externalSecrets.minio.existingSecret | quote }}
rootUserSecretKey: {{ .Values.externalSecrets.minio.rootUserSecretKey | quote }}
rootPasswordSecretKey: {{ .Values.externalSecrets.minio.rootPasswordSecretKey | quote }}
existingSecret: {{ .Values.existingSecrets.minio.existingSecret | quote }}
rootUserSecretKey: {{ .Values.existingSecrets.minio.rootUserSecretKey | quote }}
rootPasswordSecretKey: {{ .Values.existingSecrets.minio.rootPasswordSecretKey | quote }}
commonAnnotations:
{{ .Values.annotations.servicesExternalMinio.common | toYaml | nindent 2 }}
@@ -225,7 +225,7 @@ provisioning:
actions:
- "s3:*"
{{- end }}
{{- if not .Values.externalSecrets.minio.usersExistingSecrets }}
{{- if not .Values.existingSecrets.minio.usersExistingSecrets }}
users:
- username: {{ .Values.objectstores.migrations.username | quote }}
password: {{ .Values.secrets.minio.migrationsUser | quote }}
@@ -272,7 +272,7 @@ provisioning:
setPolicies: true
{{- end }}
{{- else }}
usersExistingSecrets: {{ .Values.externalSecrets.minio.usersExistingSecrets }}
usersExistingSecrets: {{ .Values.existingSecrets.minio.usersExistingSecrets }}
{{- end }}
resources:
{{ .Values.resources.minio | toYaml | nindent 4 }}
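Review bot: `usersExistingSecrets: {{ .Values.existingSecrets.minio.usersExistingSecrets }}` renders the value with Go's default formatting; if it is a list of secret names, as the plural and the `{{- else }}` branch replacing the `users:` list both suggest, it comes out as `[a b]`, which is not a valid YAML sequence. Render it with `{{ .Values.existingSecrets.minio.usersExistingSecrets | toYaml | nindent 4 }}` like the other list-valued settings in this file.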

View File

@@ -67,13 +67,13 @@ postfix:
username:
value: {{ .Values.smtp.username }}
existingSecret:
name: {{ .Values.externalSecrets.smtp.username.name | quote }}
key: {{ .Values.externalSecrets.smtp.username.key | quote }}
name: {{ .Values.existingSecrets.smtp.username.name | quote }}
key: {{ .Values.existingSecrets.smtp.username.key | quote }}
password:
value: {{ .Values.smtp.password }}
existingSecret:
name: {{ .Values.externalSecrets.smtp.password.name | quote }}
key: {{ .Values.externalSecrets.smtp.password.key | quote }}
name: {{ .Values.existingSecrets.smtp.password.name | quote }}
key: {{ .Values.existingSecrets.smtp.password.key | quote }}
smtpSASLAuthEnable: "yes"
{{- end }}
# Warning: This setting allows unauthenticated mail relay from relayNets!
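Review bot: `value: {{ .Values.smtp.username }}` and `value: {{ .Values.smtp.password }}` lack `| quote` in this file too, so a credential with YAML-significant characters breaks rendering here as well; add `quote` to both lines.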
@@ -95,13 +95,13 @@ postfix:
username:
value: "opendesk-system"
existingSecret:
name: {{ .Values.externalSecrets.postfix.opendeskSystem.username.name | quote }}
key: {{ .Values.externalSecrets.postfix.opendeskSystem.username.key | quote }}
name: {{ .Values.existingSecrets.postfix.opendeskSystem.username.name | quote }}
key: {{ .Values.existingSecrets.postfix.opendeskSystem.username.key | quote }}
password:
value: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
existingSecret:
name: {{ .Values.externalSecrets.postfix.opendeskSystem.password.name | quote }}
key: {{ .Values.externalSecrets.postfix.opendeskSystem.password.key | quote }}
name: {{ .Values.existingSecrets.postfix.opendeskSystem.password.name | quote }}
key: {{ .Values.existingSecrets.postfix.opendeskSystem.password.key | quote }}
{{- if .Values.antivirus.milter.host }}
smtpdMilters: "inet:{{ .Values.antivirus.milter.host }}:{{ .Values.antivirus.milter.port }}"

View File

@@ -6,8 +6,8 @@ architecture: "standalone"
auth:
password: {{ .Values.secrets.redis.password | quote }}
existingSecret: {{ .Values.externalSecrets.redis.existingSecret | quote }}
existingSecretPasswordKey: {{ .Values.externalSecrets.redis.existingSecretPasswordKey | quote }}
existingSecret: {{ .Values.existingSecrets.redis.existingSecret | quote }}
existingSecretPasswordKey: {{ .Values.existingSecrets.redis.existingSecretPasswordKey | quote }}
commonAnnotations:
{{ .Values.annotations.servicesExternalRedis.common | toYaml | nindent 2 }}

View File

@@ -31,8 +31,8 @@ javaOptsSecrets:
option: "-Djavax.net.ssl.trustStorePassword="
value: {{ .Values.secrets.certificates.password }}
secret:
name: {{ .Values.externalSecrets.certificates.password.name | quote }}
key: {{ .Values.externalSecrets.certificates.password.key | quote }}
name: {{ .Values.existingSecrets.certificates.password.name | quote }}
key: {{ .Values.existingSecrets.certificates.password.key | quote }}
{{- end }}
externalDB:
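Review bot: `value: {{ .Values.secrets.certificates.password }}` is unquoted here, while the same value is rendered with `| quote` in the certificates chart; a truststore password containing YAML-significant characters would therefore break this file but not that one. Add `| quote` for consistency.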
@@ -45,10 +45,10 @@ externalDB:
user: {{ .Values.databases.xwiki.username | quote }}
host: {{ printf "%s:%d" .Values.databases.xwiki.host .Values.databases.xwiki.port | quote }}
customKeyRef:
{{- if .Values.externalSecrets.databases.xwiki.password.name }}
{{- if .Values.existingSecrets.databases.xwiki.password.name }}
enabled: true
name: {{ .Values.externalSecrets.databases.xwiki.password.name | quote }}
key: {{ .Values.externalSecrets.databases.xwiki.password.key | quote }}
name: {{ .Values.existingSecrets.databases.xwiki.password.name | quote }}
key: {{ .Values.existingSecrets.databases.xwiki.password.key | quote }}
{{- else }}
enabled: false
{{- end }}
@@ -129,25 +129,25 @@ customConfigsSecrets:
xwiki.superadminpassword:
value: {{ .Values.secrets.xwiki.superadminpassword | quote }}
secret:
name: {{ .Values.externalSecrets.xwiki.xwikiSuperadminpassword.name | quote }}
key: {{ .Values.externalSecrets.xwiki.xwikiSuperadminpassword.key | quote }}
name: {{ .Values.existingSecrets.xwiki.xwikiSuperadminpassword.name | quote }}
key: {{ .Values.existingSecrets.xwiki.xwikiSuperadminpassword.key | quote }}
{{ end }}
xwiki.authentication.ldap.bind_pass:
value: {{ .Values.secrets.nubus.ldapSearch.xwiki | quote }}
secret:
name: {{ .Values.externalSecrets.nubus.ldapSearch.xwiki.name | quote }}
key: {{ .Values.externalSecrets.nubus.ldapSearch.xwiki.key | quote }}
name: {{ .Values.existingSecrets.nubus.ldapSearch.xwiki.name | quote }}
key: {{ .Values.existingSecrets.nubus.ldapSearch.xwiki.key | quote }}
xwiki.properties:
oidc.secret:
value: {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }}
secret:
name: {{ .Values.externalSecrets.keycloak.clientSecret.xwiki.name | quote }}
key: {{ .Values.externalSecrets.keycloak.clientSecret.xwiki.key | quote }}
name: {{ .Values.existingSecrets.keycloak.clientSecret.xwiki.name | quote }}
key: {{ .Values.existingSecrets.keycloak.clientSecret.xwiki.key | quote }}
workplaceServices.portalSecret:
value: {{ .Values.secrets.centralnavigation.apiKey | quote }}
secret:
name: {{ .Values.externalSecrets.centralnavigation.apiKey.name | quote }}
key: {{ .Values.externalSecrets.centralnavigation.apiKey.key | quote }}
name: {{ .Values.existingSecrets.centralnavigation.apiKey.name | quote }}
key: {{ .Values.existingSecrets.centralnavigation.apiKey.key | quote }}
ingress:
enabled: {{ .Values.ingress.enabled }}
@@ -256,8 +256,8 @@ properties:
## Properties listed in the secret file will overwrite plain values
propertiesSecret:
name: {{ .Values.externalSecrets.xwiki.propertiesSecret.name | quote }}
key: {{ .Values.externalSecrets.xwiki.propertiesSecret.key | quote }}
name: {{ .Values.existingSecrets.xwiki.propertiesSecret.name | quote }}
key: {{ .Values.existingSecrets.xwiki.propertiesSecret.key | quote }}
cluster:
replicas: {{ .Values.replicas.xwiki }}

View File

@@ -3,7 +3,7 @@ SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlic
SPDX-License-Identifier: Apache-2.0
*/}}
---
externalSecrets:
existingSecrets:
ai:
apiKey:
name: ~
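Review bot: renaming the top-level key from `externalSecrets` to `existingSecrets` is a breaking change for every environment file that overrides it, and the failure mode is silent: an overridden `externalSecrets` tree is simply ignored, the `default` fallbacks take effect, and the deployment quietly reverts to chart-generated or plain-text secrets. Add a render-time guard such as `{{- if hasKey .Values "externalSecrets" }}{{ fail "externalSecrets has been renamed to existingSecrets" }}{{- end }}`, or at least a prominent migration note in the changelog, so operators notice before the rollout rather than after.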
@@ -214,7 +214,7 @@ externalSecrets:
accessKeyId: ~
secretAccessKey: ~
openproject:
adminUser:
adminUserPassword:
name: ~
key: ~
apiAdmin: